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ABSTRACT- An efficient and fully robust group key agreement protocol (GKA) enables a group of authenticated users to 
communicate over a reliable broadcast communication medium. All non-faulty nodes will form a cyclic group and hence 
have the same view of the message which is broadcasted and the faulty nodes cannot view that message. The standard 
encryption-based group key agreement protocol can be robust against an arbitrary number of node faults, because the 
performance deteriorates if some nodes fail during the protocol execution..By making each node to enter with the help of a 
nonce which is an arbitrary number that is used only once in a cryptographic communication and it will protect the 
malicious insiders that may disturb the group communication. The elliptic curve digital signature algorithm is used for 
establishing the group key and the proposed protocol has O(log n)-sized messages and expected round complexity close to 2, 
assuming random node fault and also it is secure under the (standard) Decisional Square Diffie-Hellman assumption. 
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I. INTRODUCTION 

The growth of group applications triggers the need 
for group-oriented security mechanisms over insecure 
network channels. The applications include IP telephony, 
collaborative workspaces, secure conferences, as This 
all as dynamic coalitions common in law enforcement 
and disaster rescue scenarios. Standard security services 
required in such group settings, e.g. confidentiality of 
group-wide broadcasts, can be very efficiently achieved 
if all group members share a group- wide secret key. A 
group key agreement protocol (GKA) allows n players 
to create such shared secret key. There are several 
widely- known efficient constant-round group key 
agreement proto- cols [4, 8], but their performance 
degrades if some of the participating players fail during 
the protocol execution. This is a serious concern in 
practice, for example for mobile nodes that 
communicate over a wireless media, but which can loos 
connectivity during protocol execution. 

Assuming a reliable broadcast medium, a GKA 
protocol can trivially be made robust to node failures by 
re-starting the protocol from scratch whenever a faulty 
player is detected. However, this would multiply all 
protocol costs by the number of faults, including the 
round complexity of the protocol. Robust constant- 
round GKA protocols can be achieved by executing 
parallel instances of any standard, i.e. non-robust, 
constant-round GKA protocol, one instance for every 
possible subset of non-faulty players. The early design 
of contributory group key agreement (GKA) protocols 
focuses on the efficiency of initial GKA. Efficiency 
metrics include computation, computation and round 
complexities. Although each metric is important in 
practice, the round complexity can 



be more crucial, particularly in the distributed 
computing environment. 

Several well known efficient two-round GKA 
protocols are proposed in [12], [4]. However, their 
performance degrades if faults occur during the protocol 
execution. Faults cause the normal protocol (without 
robustness) to be restarted from the scratch. To improve 
performance, current GKA protocols must be made 
robust. In this context, robustness refers to the ability to 
complete the protocol, despite player and/or 
communication faults. Robust GKA is a serious concern 
in practice. Mobile nodes that communicate over a 
wireless medium can loos connectivity. Router failures, 
causing network partitioning (due to a mis-configuration 
or congestion) as malicious attacks, also increases the 
failure probability. List some motivating examples: 

• Consider an emergent situation where some secure 
meeting for rescue missions and military 
negotiations must be held prior to a special time. 
In that case, robust GKA is prerequisite to 
minimize damage. 

• Group communication (such as instant messaging 
and video- and audio- conferencing) operates on a 
real-time setting. Thus, robust GKA is crucial to 
improve the overall QoS. 

• Security policies usually dictate that group keys 
must be refreshed periodically. Thus, a GKA 
protocol needs to be re-run (perhaps often), and 
improving GKA performance is essential. 

• Consider a group of entities (routers or servers) in 
extreme environments, such as deep-space, that 
lack continuous network connectivity. In such a 
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setting, re-starting a GKA protocol, 
because a single participant failed, results in 
inordinately expensive costs. 

Assuming a reliable broadcast medium, a GKA 
protocol can trivially be made robust to node failures by 
restarting the protocol from scratch, whenever a faulty 
player is detected. However, this would multiply all 
protocol costs by the number of faults, including the 
round complexity of the protocol. Robust constant- 
round GKA protocols can be achieved by executing 
parallel instances of any standard, i.e., non-robust, 
constant-round GKA protocol, one instance for every 
possible subset of non-faulty players. Such protocol 
would be robust and constant-round, but its 
communication and computation costs would grow by 
an inadmissible factor of 2n. Another robustness 
problem is caused by a malicious player, who sends 
arbitrary messages not correctly following the protocol. 
The goal of the adversary is to disrupt the protocol. One 
may think that message/player authentication can 
prohibit from sending random messages. However, 
authentication examines only authenticity of 
message/player, but does not determine if the player has 
sent the correct form of messages. In fact, well-known 
authenticated GKA protocols [3], [9] do not address the 
protocol disruption attack due to the malicious player. 



II. 



SECURITY MODEL 



Our security model is a standard model for Group 
Key Agreement protocols executed over authenticated 
links. Since the players in our GKA protocols do not use 
long-term secrets, This define GKA security. 

A. Authenticated Links. 

Our paper is concerned with Group Key Agreement 
(GKA) protocols in the authenticated links model. Note 
that there are standard and inexpensive compilation 
techniques which convert any group key agreement 
protocol into an authenticated group key agreement by 
(1) deriving a unique session-specific nonce at the 
beginning of the protocol and (2) having each player 
sign its message together with this nonce. 

B. Broadcast Communication and Player Failure. 

This assume that all communication within the 
protocol takes place over reliable (and authenticated) 
broadcast channel, where all the non-faulty players have 
the same view of the broadcasted message (which can 
be null if the sender is faulty). This assume weak 
synchrony, i.e., the players have synchronized clocks 
and execute the protocol in synchronized rounds, and 
the messages from the non-faulty players must arrive 
within some time window, which assume is large 
enough to accommodate clock skews and reasonable 
communication delays. The assumption of reliable 
broadcast communication might be realistic for certain 
communication scenarios, e.g. Ethernet or wireless 
communication between close-by players. Otherwise, 



reliable broadcast must be implemented via a consensus 
protocol. 

Assume an honest but curious adversary which can 
additionally impose arbitrary stop faults on the 
(otherwise honest) players participating in the protocol. 
Additionally, the adversary can make each player stop at 
an arbitrary moment in the protocol execution, but any 
such node failure cannot violate the contract imposed by 
the reliable broadcast assumption. Throughout the paper 
assume that these stop faults are scheduled in arbitrary 
way by the adversary, except in the last section when 

Definition 1. (GKA Security) Consider an adversary 
algorithm A which observes an execution of the GKA 
protocol between n honest players, and, depending on 
bit b, is given the session key computed by this protocol 
(if b = 1) or a value chosen at random from the same 
domain as the sessions keys (if b = 0). The adversary A 
outputs a single bit b'. This define adversary's 
advantage in attacking the GKA protocol as: 



GKA A Adv =IPr[b': 



b] 



1/2 I 
(1) 



where the probability goes over the random execution of 
the protocol, the adversary A, and the random choice of 
bit b. This call a GKA protocol (o, t)-secure if for all 
adversaries A who run in time t it holds that GKA A Adv < 
€. 

III. PROPOSED SYSTEM MODEL 
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IV. CRYPTOGRAPHIC SETTING 

Let G be a cyclic group of prime order q, and let g 
be its generator. This assumes the DDH and Square- 
DDH problems are hard in G. For example, G could be 
a subgroup of order q in the group of modular residues 
Z p s.t. p - 1 divides q, Ipl = 1024 and Iql = 160, or it 
can be a group of points on an elliptic curve with order q 
for Iql =160. 
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Definition 2. The DDH problem is (€, 
t)-hard in G if for every algorithm A running in time t 
This have: 



BDGKA protocol proceeds in two rounds (see Fig. 1): 
First, each player Pi broadcasts a public counterpart z' = 
g" of its contribution ti to the key. 



(2) 



I Pr[x, y <- Zq : A(g, gx, gy, gxy) = 1] - 
Pr[x, y, z <- Zq : A(g, gx, gy, gz) = 1] 



< € 



Definition 3. The Square-DDH problem is (€, t)-hard in 
G if for every A running in time t have: 



I Pr[x «- Zq : A(g, gx, gx2 ) = 1] - 
Pr[x, z <- Zq : A(g, gx, gz) = 1] 



<€ 
(3) 



V. ROBUST GROUP KEY AGREEMENT 
PROTOCOLS 

This describe our two-rounds robust GKA protocol 
that tolerates T faults with 0(T)-sized messages, in three 
steps: In Sections 4.1 and 4.2, solely for presentation 
purposes, This explain how the non robust GKA 
protocol of Burmester-Desmedt (BD) [4] generalizes to 
a (fully) robust 2-round GKA protocol at the cost of 
increasing the length of the constant-sized messages of 
the BD protocol to 0(n2)-sized messages. This call the 
robust generalization of the BD protocol BD-RGKA and 
show that the protocol remains secure under the same 
DDH assumption required for the underlying BD 
protocol. This show that the BD-RGKA protocol can be 
modified to retain full robustness with message size 
reduced to 2n group elements. This protocol remains 
secure under the same Square-DDH assumption, but its 
resilience is reduced to O(T) faults. (More precisely, the 
T-RGKA protocol tolerates all faults except two 
separate sequences of T or more consecutive faults.) 



[Round 1): 

Each player Pj picks a random t j 6 Z g and broadcasts z, - g li . 
[Round 2]: 

Each Pi broadcasts its gadget value = 
(zi+i/x,-!)^, where the indices are taken in a cycle. 
[Key Computation!: 

Each Pi computes the key as sk, = [H-i) nti • X,"" 1 - 

^C+i 2 ■ ■ ■ x i-i' where x i = x M,«,Hi]- 

(Note that for all i we have sk; = 9 «i*2+«3*3+-+Wi.) 



Fig.l. Burmester-Desmedt's Group Key Agreement 
Protocol (BD GKA). 
Finally, This exemplify the usefulness of the 
efficiency versus fault-tolerance trade-off offered by the 
T-RGKA protocol, by showing that it implies a fully 
robust GKA protocol with 2 + 5 expected rounds and 
messages of size 0(log n + log(l/ 5), if the node faults 
are random and occur at a constant rate. 

A. Overview: Adding Robustness to Burmester- 
Desmedt GKA 

Since our fault-tolerant protocol is based on the 
GKA protocol proposed by Burmester and Desmedt 
(BD) [4], This need to first overview the BDGKA 
protocol to describe modifications This have made. The 



In the second round, each Pi broadcasts X[i-l,I,i+l] 
= g tltl+1 =ti -"' (which it can compute as X [i-l,I,i+l] = 
(zi+1 = zi-1 )") . Given the set of values 
X[n,l,2],X[l,2,3] . . .;X[n-l;n,l], each player Pi can use 
its contribution ti to locally compute the common 
session key sk = g ut2+t2t3+ - +m \ This will call value X[i- 
1 ,1,1+ 1 ] a gadget, the titi+1 part of its exponent the left 

hand, and the ti 1 ti part of the exponent, which is 

multiplied by minus one, the right hand of this gadget. A 
gadget X[i- l,I,i+l] corresponds to a path of length two 
connecting nodes Pi-1, Pi, and Pi+1. Using this graph 
terminology, This say that two gadgets are connectable 
if the left hand of one gadget is the same as the right 
hand of the other. For example, for every i, gadgets X[i- 
l,I,i+l] and X[i,i+l,i+2] are connectable. This say that 
a sequence of gadgets forms a path through the graph, if 
each two consecutive gadgets in the sequence are 
connectable. By inspecting the formula for deriving the 
secret key in the BD GKA protocol, This can observe 
that each player derives the same key because the set of 
gadgets broadcasted in the 



Gadgets X[ 4 ,i,2], X^ i2 $, X [2M] , %4,i], sent in a BD 
GKA protocol involving four players, form a 
Hamiltonian cycle in the graph of four nodes. 



Fig.2. Gadgets in a BD GKA Protocol for n = 4. 

second round of the protocol forms a Hamiltonian cycle 
(a.ka. a "circular path") through the graph of all players. 
In Fig. 2, This show an example of four gadgets X 
[4,1,2], X[l,2,3], X[2,3,4], and X[3,4,l], created by the 
BD GKA protocol, executed in a group of four players. 

B. Robust GKA with O(n) Message Size 

This show the GKA protocol which follows the 
above idea, denoted BD-RGKA, in Fig. 3. The protocol 
is robust against any set of faults, and it remains secure 
under the same DDH assumption used by the basic BD 
GKA protocol. In other words, broadcasting all the 
additional information in the second round does not 
diminish the security of the protocol. Note that in the 
BD GKA protocol the session key sk = g tlt2+t2t3 +- +tntl i s 
computed according to a fixed circular order among the 
participating players, while in the BDRGKA protocol 
the session key is computed as sk = gtalta2 + ta2ta3 
+...+tamtal , where Pal , . . . , Pam are players that 
remain alive after the second broadcast round. Note that, 
since This assume reliable broadcast and synchrony, 
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each player has the same view of the list 
of alive players and their messages. The alive players 

are ordered s.t. al < a2 < < am, but this order is 

arbitrary 



The expected number of rounds is then 5= 2(1/(1 - 
f)) -2 = 2f=(l - f)~2f. Therefore, by (1), This can upper- 
bound threshold T necessary to achieve parameters 5 
and V as T< (log n + 1/2 log(l/ 5 ))/ log(l/V). 



[Round 1]: 

1.1 Each Pi picks a random U £ Z q and broadcasts z\ = g tl . 
[Round 2]: 

2.1 Let AL be the list of indices of all players who complete 
Round 1. 

2.2 Each F; computes X[ kri j] = (zj/z^)*' for all pairs (k,j) 
s.t. k,j e AL and k / j. 

2.3 Each Pi broadcasts {Jf[fc,ij]}fc,j€AL. 
[Key Computation]: 

3.1 Let AL be the list of indices of all players who complete 
Round 2. 

3.2 Each Pi sorts the players in AL in the same order; wlDg, 
we assume that the live players are ordered as {P ai , f*a m }, 
where m < n. 

3.3 Each P„, computes the session key sk a; = (« ot _ 1 ) m '*°i ■ 
(Note that sk ai = g'-i '•a+'oj'-s + ■■+'«.„, ! =i .) 



Fig. 3.The BD-RGKA Protocol: Robust GKA with 
0(n2)- sized messages. 



C. Fully Robust GKA Protocol with Oflog n) Messages 
in the Random Fault Model 

In this section, This show another robust GKA 
protocol, called RGKA', which is fully robust but not 
constant-round. RGKA' simply repeats the T-RGKA 
protocol above, with some parameter T, which This fix 
below, until T-RGKA succeeds. (In fact, only the 
second round of the T-RGKA protocol needs to be 
repeated, since the security of the BD-RGKA protocol 
implies that the ame contribution ti can be used in all 
these instances of the T-RGKA protocol.) Repeating the 
protocol increases the number of rounds and the 
protocol communication complexity. However, This 
will argue that if the faults are random and occur with 
rate _, then for any parameter _, the expected number of 
rounds in the RGKA' protocol can be 2 + 5 , and the 
expected communication complexity per player can be 
2(T + 5) group elements, for T[0((log n + 
log(l/5))=log(l/v)). Assuming that the node faults are 
random and that they are independent of each other 
might seem unrealistic, but recall that the order among 
the participating players can be determined by the 
messages sent in the first round of the protocol, and, 
therefore, the usual dependencies between failures of 
nodes, which are physical neighbors, do not apply to the 
neighbors in the logical order created by the protocol. 

This claim that if we set T ~ (log n+ 1/2 log(l/ 
5))/log(l/v) then the expected number of rounds in 
RGKA' is 2 + 5. Since a T-RGKA protocol succeeds 
exists except if at least two sequences of T consecutive 
nodes fail, the probability that a single execution of the 
T-RGKA protocol fails is upper-bounded by 



f<n 2 /2* V 2T . 



(4) 



D. Robust GKA with O(n) Message Size 

Step 1: n2! 2n Reduction by Node-Doubling. The 
BDRGKA protocol achieves full robustness by 
increasing the message size by a factor of n2, but this 
overhead can be reduced to the factor of n as follows: 









pA — / 


■N P 
P 


outHf — \Wm) 




\Wi — \& 


(a) General Model 




b) Node-doubling Model 



Fig. 4. Two different models of fully connected network 
for three players 

Step 2: Reusing the Secret Contributions. This can 
reduce the message size of the above protocol by a 
factor of two, by having the two virtual nodes U2i-1 and 
U2i use the same secret contributions t2i-l = t2i. This 
change implies that the gadgets created for the in nodes 
are inverses of the corresponding gadgets created for the 
out nodes. 



[Round 1]: same as in BD-RGKA in Figure 3. 

[Round 2]: same as in BD-RGKA in Figure 3, except: 

2.2 Each P\ computes X^ = [zijz^ for ai k £ AL. 
Define 1^ as (fy^) -1 . 

[Key Computation]: same as in W-EU, except: 

3.3 Each P H computes sk fli = ( Vl ) m ^ -XJ" 1 ■ XJ" 2 ■ 
■ ■ ■ • X H _ 2 as in the BD-RGKA protocol, but here X a{ is defined 

(Note that the resulting key is exactly as in WMU protocol 

X a . =3 V a i+r ta i-i*\) 



Fig. 5. The RGKA Protocol: Robust GKA with O(n)- 
sized messages. 

E. Further Reduction of Message Size 

In this section, This show two robust GKA 
protocols, TRGKA and RGKA'. The first protocol, T- 
RGKA, is the main 
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Fig.6. Examples of the T-th power of a circle. 

VI. ROBUST GROUP KEY AGREEMENT 
EXTENSION 

In this section, extend the robust GKA protocol to 
withstand the protocol disruption attack that the 
malicious player may attempt. While the basic robust 
GKA protocol considers missing gadgets (due to 
network or device failures), the extended robust GKA 
protocol additionally examines whether or not the 
gadgets generated by each player are consistent with the 
protocol algorithm. This refer to a gadget not correctly 
generated as a faulty gadget. Recalling that without a 
sequence of connectable gadgets, which covers the set 
of all nodes, the key agreement protocol fails, it is clear 
that a faulty gadget would lead to the protocol failure as 
well. However, the RGKA protocol can be still robust 
by excluding it, if a faulty gadget can be detected. In the 
following section, This illustrate a method to detect 
faulty gadgets and then construct two RGKA extensions 
by applying the method to the RGKA protocol. The 
detection method is also accordant with the T-RGKA, 
but This do not explain it because description on the 
RGKA protocol setting is enough. 

VII. EFFICIENCY ANALYSIS 

This first summarize the relevant aspects of protocol 
efficiency. Performance Criteria. 

• Resilience: the number or pattern of faults that the 
protocol tolerates. 

• Round Complexity: the number of rounds. 

• Communication Complexity: the (expected) total bit- 
length of all messages sent in the protocol. (Since This 
assume a broadcast communication medium, This 
measure the bit-length of messages sent over a broadcast 
channel.) 

• Computational Complexity: the amount of 
computation that must be performed per player in the 
protocol. This will restrict us to counting only the 
number of cryptographic operations (e.g. 
exponentiations and public-key operations) since these 
operations dominates the computational cost. 



This compare the protocols This propose with non- 
robust BD protocol [4] and the encryption-based group 
key agreement protocol - the simplified version of CS 
protocol [5]. Table 1 compares efficiency of the BD, the 
encryption-based GKA, denoted by "CS", and the BD- 
RGKA, RGKA, T-RGKA, and RGKA' protocols shown 
in the previous section. Of these six protocols, BD is not 
robust against even a single failure, T-RGKA is robust 
against at least 2T failures (see subsection 

The conclusion we'd like to draw from this 
comparison is the following. First of all, all protocols 
run in two rounds, and RGKA' runs in expected 2+5 
rounds, for any 5, if T is set as 0(log n+log(l/5)). (See 
Section 4.4.2 above for more discussion.) Given the 
comparable round complexities, the remaining 
important criterion is communication complexity. It is 
also computational complexity per player, but as the 
table shows, the latter follows the communication very 



TABLE I 

Complexity Comparison Between Provably Secure 
Protocols For Robust GKA Protocols 





Rounds 


Communication 


Computation 


BD 


2 


2nt 


3 ex 


CS 


2 


(n + n2)t 


2n pk 


BD- 


2 


n3t 


n2 ex 


RGKA 








RGKA 


2 


n2t 


n ex 


T- 


2 


(1 +2T)nt 


(2 + 2T) ex 


RGKA 








RGKA' 


2 + 6 


Q(log n, log(l/8))nt 


0(log n) ex 



VIII. CONCLUSION 

In this paper, proposed a novel 2-round Group Key 
Agreement protocol that tolerates up to T node failures 
using (reliable) broadcasts of 0(T)-sized messages. To 
authors' knowledge, it is the first GKA protocol that 
offers a natural trade-off between message size and the 
desired level of fault tolerance. In particular, This 
showed that the new protocol implies a fully-robust 
group key agreement with 0(log n)-sized messages and 
expected round complexity close to 2, assuming random 
faults. The new protocol is secure under the (standard) 
Decisional Square Diffie-Hellman assumption. 
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